Recently, I discussed the gap that exists between how well
we perceive ourselves to be meeting our customers’ expectations and how well
they think we are actually doing.
There is a gap…a significant gap. And we need to take immediate
action to help close that gap. And the best way to close that gap is to
communicate with our customers/clients/stakeholders — find out what they need,
want, and desire, and then help them achieve it.
In response to that post, Dariusz Stolarski noted that not
all needs can be met. “Sometimes my job is to tell the client that he is
Nailed that one, Dariusz.
In our battle to get the eyes and ears of executive
management, get a seat at the table, and get in a position where we become trusted
advisors, it is easy to be so focused on building those relationships that
turning down any attention feels like a step in the wrong direction. “They
like us; they really like us!” becomes more important than ensuring the right
work is being completed.
Yes, we must understand and be ready to respond to what our
stakeholders believe they need, but that is only part of the equation. There is something
more important than our stakeholders’ “needs”. That is the success of the organization.
And sometimes stakeholders are so knee-deep in strategies and decisions that they
miss how best to ensure that success.
That may well be the greatest value internal audit can
provide — to use our independence and objectivity to step outside the quagmire
of execution where most executives reside, providing new and different
perspectives on potential risks and responses.
Here’s an example you may well be experiencing. You walk
into a board meeting and ask “What can internal audit do to help?” Instantly,
you are buried in an avalanche of cybersecurity risk accompanied by the
request…nay, demand…to throw every resource at internal audit’s disposal into
this end-of-times situation.
No doubt, cybersecurity is a worthy foe. It is number one
with a bullet on the risk hit parade; what all the cool organizations are
worrying about; the talk of the town; the cocktail party conversation of choice;
and the go-to word for countless headlines, clickbait, magazine articles,
conference topics, and watercooler talk. It is the bee’s knees, the cat’s
pajamas, a corker, crackerjack, far out, groovy, rad, tubular, kewl, sick, and tight.
It is what every board fears and every board wants to know about.
But, worthy foe or not, that doesn’t mean cybersecurity is
the single most important thing internal audit should be doing. Internal audit
has to have the bravery to say “No” or, at the very least, “Let’s hang on a
minute.” No matter how important, popular, or flamboyant the risk, internal
audit’s role is to look at all risks — not just the latest flavor-of-the-month —
and determine how resources can best be used.
If cybersecurity is the biggest risk, then there is the
potential (note, only potential) that it represents where a good hunk of resources
should be allocated. But if there are other risks as important, or important
enough to also warrant the department’s time, then internal audit has to go to
its stakeholders and have a serious conversation that will include the word “no”.
The stakeholder may not like it. But it is the right thing
I’m just using cybersecurity as an example because it seems
to be everywhere. But it could be anything from blockchain to reputation to
brand to financial statements to petty cash. Just because the customer/stakeholder
asks for it doesn’t mean we have to deliver.
As Dariusz noted, an important part of our job is sometimes telling
our client when they are wrong. And that is where an audit department can
exhibit true professionalism and bravery. Just saying no.